
CVE-2023-42362 PoC: Teller cross-site scripting vulnerability

Source
Associated Vulnerability
Title: Teller cross-site scripting vulnerability (CVE-2023-42362)
Description: Teller is a financial services application that lets users carry out online transactions such as sending and receiving money, buying airtime and paying bills. Teller v4.4.0 contains a security vulnerability: a remote attacker can upload a crafted file to execute arbitrary commands and obtain sensitive information.
Readme
# CVE-2023-42362
# Author: Abdelrahman Mohamed (Mr-n0b3dy)
## LinkedIn: https://www.linkedin.com/in/abdelrhman-mohamed-ashraf-7bb43410b/
## Vulnerability Name: Unrestricted File Upload that led to ATO
## Severity: High
## Product: NCR teller web app
## Version: 4.4.0
## Description:
Unrestricted file upload leading to stored cross-site scripting (XSS) in the NCR Teller web application. The file upload functionality does not properly validate what is uploaded, so a file carrying script content is accepted, stored, and later served to other users' browsers.
## Impact:
An attacker can upload a malicious file containing JavaScript code that runs in the browser of an administrator who views it. Because the admin session token is kept in the browser's local storage, it is readable by that script, so the attacker can hijack the session. This can result in a takeover of the admin account, granting full access to administrator functionality.
## Recommendations:
Install the latest version of the NCR Teller web app.
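As an added defensive illustration (not code from the Teller app or from the PoC author), the following Python shows the kind of upload validation whose absence produces this bug class: a single allow-listed extension, magic bytes that must match the declared type, rejection of any file carrying browser-executable markup, a server-chosen storage name, and response headers that keep a stored upload from ever being rendered inline. The allow-list, size limit and header set are assumptions chosen for the example, not values from the advisory.

```python
import re
import secrets
from typing import Dict, Tuple

# Constructed allow-list for an upload endpoint (assumption, not taken from
# Teller). Each extension maps to the magic bytes a genuine file must start with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}

# Markup a browser would execute or treat as a document if the file were ever
# served inline. A file containing any of this is rejected even when its magic
# bytes look right (guards against image/HTML polyglots).
ACTIVE_CONTENT = re.compile(
    rb"<\s*(script|svg|html|iframe|object|embed|meta)\b|javascript:",
    re.IGNORECASE,
)

MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit for the example


def validate_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Accept only when every check passes."""
    if len(content) == 0 or len(content) > MAX_UPLOAD_BYTES:
        return False, "bad size"
    # Strip any client-supplied path, then insist on exactly name.ext so that
    # 'x.php.png', '.htaccess' and extension-less names are all refused.
    base = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "filename must be name.ext with a single extension"
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    if ACTIVE_CONTENT.search(content):
        return False, "active content detected"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Server-chosen name: random stem plus the validated extension only."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(16)}.{ext}"


def download_headers(stored: str) -> Dict[str, str]:
    """Headers for serving a stored upload so the browser never renders it as a page."""
    return {
        "Content-Disposition": f'attachment; filename="{stored}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Cache-Control": "no-store",
    }


if __name__ == "__main__":
    # Constructed sample uploads: one genuine PNG and three hostile variants.
    samples = [
        ("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
        ("avatar.html", b"<script>alert(1)</script>"),
        ("avatar.png", b"<html><script>x</script></html>"),
        ("avatar.png", b"\x89PNG\r\n\x1a\n" + b"<script>x</script>"),
    ]
    for name, data in samples:
        print(name, validate_upload(name, data))
```

The serving headers matter as much as the upload check: `Content-Disposition: attachment` plus `nosniff` means that even a file that slips through is downloaded rather than executed in the application's origin. Independently of upload handling, the impact section's account-takeover path depends on the admin token being readable from local storage; keeping the session in an `HttpOnly` cookie removes that readability and limits what any injected script can steal.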
File Snapshot

[4.0K] /data/pocs/fe9421dd66eeb4dd9b91734c7e9c6476edaf7cb7
├── [ 312] POC
└── [ 906] README.md

0 directories, 2 files